Interface   Network           Gateway
Wireless    192.168.10.0/24   192.168.20.1

Ok, that's what my static route looks like. What that is saying is that any traffic from my 192.168.20.x/24 network to the destination network of 192.168.10.x/24, use the gateway of 192.168.20.1 (the wifi card).

Does that help?

Chet Harvey

Quoting Rodman Frowert <frowertr at i dash 1 dot net>:

> Ok, this is what I have got so far...
>
> I feel like an idiot. In the static routing page, I kept putting in the OPT1 interface address for the gateway, which is 10.10.10.1, instead of putting in my LAN interface address, which is 192.168.1.1. Duh!
>
> Now the problem I am getting is that when I ping the devices in my DMZ, I get "TTL expired in transit". I think this is because I still don't have the destination network set up properly. At least I got "somewhere". I think...
>
> Rodman
>
> ----- Original Message -----
> From: "Rodman Frowert" <frowertr at i dash 1 dot net>
> Cc: <m0n0wall at lists dot m0n0 dot ch>
> Sent: Tuesday, September 07, 2004 4:12 PM
> Subject: Re: [m0n0wall] Unable to ping DMZ hosts from LAN
>
> > I set that exact rule in my DMZ. I think my problem is with static routing. I really don't know what I am doing in there. Am I telling m0n0 that when I want to go to "x" network, it needs to use "y" router to get there?
> >
> > So, for interface on the Static Routing page, I would select LAN, correct? Then I get lost when it asks for the destination network. Right now, my DMZ is set up as follows:
> >
> > m0n0 OPT1 interface - 10.10.10.1
> > switch - 10.10.10.2
> > access point 1 - 10.10.10.3
> > access point 2 - 10.10.10.4
> >
> > What would I put for destination network? For the gateway I am pretty sure I just give it my OPT1 interface, which is 10.10.10.1.
> >
> > Thanks for all your continued help, guys!
> >
> > Rodman
> >
> > ----- Original Message -----
> > From: "Chet Harvey" <chet at pittech dot com>
> > To: "Terry Miller" <terry at millfam dot org>
> > Cc: "'Rodman Frowert'" <frowertr at i dash 1 dot net>; <m0n0wall at lists dot m0n0 dot ch>
> > Sent: Tuesday, September 07, 2004 2:19 PM
> > Subject: RE: [m0n0wall] Unable to ping DMZ hosts from LAN
> >
> >> Mmmm, I don't agree with this, as it would defeat the purpose of a DMZ. You should be able to simply add a rule to allow all LAN traffic to the DMZ. You will need a static route from the LAN to the DMZ since they are on different networks. That should cover it. You would never want to allow any traffic from the DMZ to your LAN unless it was for a specific reason.
> >>
> >> I have a net4521 with one wifi card for internal use (LAN) and the second as the captive portal in "DMZ" mode. I also have the second NIC as a server DMZ.
> >>
> >> I have one rule for each DMZ:
> >>
> >> Proto:  Source:  Port:  Destination:  Port:
> >> *       Lan      *      Opt2          *
> >>
> >> I also have a static route for LAN > DMZ.
> >>
> >> Wish I could see my box from here so I could give a SS.
> >>
> >> Chet Harvey
> >> Pitbull Technologies <http://www.pittech.com/>
> >> Protecting your Digital Assets
> >> 703.407.7311
> >>
> >> Quoting Terry Miller <terry at millfam dot org>:
> >>
> >>> There will also need to be a rule on the LAN interface that allows traffic from the DMZ to the LAN.
> >>>
> >>> -----Original Message-----
> >>> From: Rodman Frowert [mailto:frowertr at i dash 1 dot net]
> >>> Sent: Tuesday, September 07, 2004 11:47 AM
> >>> To: m0n0wall at lists dot m0n0 dot ch
> >>> Subject: Re: [m0n0wall] Unable to ping DMZ hosts from LAN
> >>>
> >>> Hey Terry,
> >>>
> >>> Yes, the machines (actually they are wireless access points) are set to respond to pings. I can ping them through the webgui interface of m0n0 just fine. They are also set to use m0n0 as their gateway. They work just fine as far as using them for access points for my hotspot. I just can't talk to them from my LAN. :-(
> >>>
> >>> > Do the firewalls allow telnet and ICMP?
> >>>
> >>> Well, the only firewall rule for my LAN device is:
> >>>
> >>> Proto:  Source:   Port:  Destination:  Port:
> >>> *       Lan net   *      *             *
> >>>
> >>> I assume this would allow anything to pass to the DMZ (as well as everywhere else) as long as I don't specifically have a rule set for the DMZ interface to block LAN requests...
> >>>
> >>> I tried setting up a firewall rule in the DMZ and put it at the top that had:
> >>>
> >>> Proto:  Source:   Port:  Destination:  Port:
> >>> *       Lan net   *      DMZ           *
> >>>
> >>> and...
> >>>
> >>> Proto:  Source:   Port:  Destination:  Port:
> >>> *       *         *      *             *
> >>>
> >>> Neither of these had any effect. I still can't talk to any of the APs in my DMZ from my LAN.
> >>>
> >>> Rodman
> >>>
> >>> ----- Original Message -----
> >>> From: "Terry Miller" <terry at millfam dot org>
> >>> To: <m0n0wall at lists dot m0n0 dot ch>
> >>> Sent: Tuesday, September 07, 2004 11:18 AM
> >>> Subject: RE: [m0n0wall] Unable to ping DMZ hosts from LAN
> >>>
> >>> Is the machine in the DMZ set to use monowall as the default gateway and respond to pings? Do the firewalls allow telnet and ICMP?
> >>>
> >>> I was just burned on step 1 last week.
> >>>
> >>> -----Original Message-----
> >>> From: Rodman Frowert [mailto:frowertr at i dash 1 dot net]
> >>> Sent: Tuesday, September 07, 2004 10:34 AM
> >>> Cc: m0n0wall at lists dot m0n0 dot ch
> >>> Subject: [m0n0wall] Unable to ping DMZ hosts from LAN
> >>>
> >>> Hey guys,
> >>>
> >>> I looked through the archives and didn't find any answers I thought would be beneficial to me, so I thought I would ask. I can't seem to ping anything in the DMZ (other than my m0n0 DMZ interface) from my LAN. I can ping DMZ hosts from the m0n0 GUI, however.
> >>>
> >>> Is there something that is set that is preventing me from talking to DMZ hosts from my LAN? I only have one LAN rule and it is the default rule that was enabled when m0n0 was installed: Default LAN --> any. The DMZ rules I have set apply to what can come out of the DMZ only, because this is my hotspot.
> >>>
> >>> I would like to eventually put a webserver in my DMZ, so you can imagine I at least need telnet access to the machine from my LAN.
> >>>
> >>> My LAN is 192.168.1.x/24
> >>> My DMZ is 10.10.10.x/24
> >>>
> >>> What am I missing? Am I going to have to bridge these two to do what I want to do?
> >>>
> >>> Rodman

---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
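A simplified model of stateful, per-inbound-interface rule evaluation of the kind the m0n0wall rule tables above describe, added here as an example (it is not from the thread or from m0n0wall's own code) and using the LAN and DMZ networks given in the thread; the LAN host 192.168.1.50 and the ingress-interface lookup by source subnet are assumptions. It shows why the default "LAN net -> any" rule already passes a LAN-originated ping and its reply, why a "LAN net -> DMZ" rule placed on the OPT1 interface never matches anything, and why an allow-all rule on OPT1 opens the DMZ toward the LAN.

```python
from ipaddress import ip_address, ip_network

INTERFACES = {  # constructed model of the box in the thread: LAN plus OPT1 (the DMZ)
    "LAN": ip_network("192.168.1.0/24"),
    "OPT1": ip_network("10.10.10.0/24"),
}

def net(alias):
    """GUI-style 'LAN net' / 'OPT1 net' aliases; '*' means any address."""
    return None if alias == "*" else INTERFACES[alias]

def matches(rule, proto, src, dst):
    r_proto, r_src, r_dst = rule
    return (r_proto in ("*", proto) and (r_src is None or ip_address(src) in r_src)
            and (r_dst is None or ip_address(dst) in r_dst))

class Firewall:
    """Per-inbound-interface, first-match, stateful ruleset; unmatched traffic is denied."""
    def __init__(self, rules):
        self.rules = rules   # {iface: [(proto, src_net_or_None, dst_net_or_None), ...]}
        self.state = set()   # flows already allowed, as (proto, src, dst)

    @staticmethod
    def ingress_iface(src):
        return next((n for n, subnet in INTERFACES.items() if ip_address(src) in subnet), None)

    def filter(self, proto, src, dst):
        iface = self.ingress_iface(src)
        if (proto, dst, src) in self.state:      # reply direction of an allowed flow
            return "pass (state)"
        for rule in self.rules.get(iface, []):   # only this interface's rules are consulted
            if matches(rule, proto, src, dst):
                self.state.add((proto, src, dst))
                return f"pass (rule on {iface})"
        return f"block (default deny on {iface})"

def unreachable_rules(fw):
    """Rules whose source network lies entirely off the interface they are bound to:
    no legitimate packet entering that interface can ever match them."""
    return [(iface, rule) for iface, rules in fw.rules.items() for rule in rules
            if rule[1] is not None and not rule[1].overlaps(INTERFACES[iface])]

if __name__ == "__main__":
    fw = Firewall({"LAN": [("*", net("LAN"), None)],            # default "LAN -> any"
                   "OPT1": [("*", net("LAN"), net("OPT1"))]})   # the attempted DMZ rule
    print(fw.filter("icmp", "192.168.1.50", "10.10.10.3"))     # echo request, LAN -> AP
    print(fw.filter("icmp", "10.10.10.3", "192.168.1.50"))     # echo reply, passed by state
    print(fw.filter("tcp", "10.10.10.3", "192.168.1.50"))      # DMZ-initiated: blocked
    print(unreachable_rules(fw))                                # the OPT1 rule never matches
```

If the model says the ping passes, the firewall is not what blocks it, and the checks Terry lists (the DMZ host's default gateway and its willingness to answer ICMP) are the next things to verify.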